Terraform Modules
Drop-in replacements for terraform-aws-modules with compliance controls enforced at terraform plan time. Same arguments, same outputs.
34 modules across 8 categories. Each one is API-compatible with its upstream terraform-aws-modules counterpart. Change the source URL, run terraform plan, and controls are checked before anything gets deployed.
Storage
EFS
Amazon EFS file systems with mount targets, access points, backup policies, lifecycle management, encryption at rest, and security group controlled NFS access.
2 controls, 18 frameworks
FSx
Amazon FSx file systems for Windows, Lustre, NetApp ONTAP, or OpenZFS with storage capacity, throughput, backups, encryption, and deployment in private subnets.
5 controls, 4 frameworks
S3 Bucket
S3 buckets with versioning, default encryption, public access blocks, bucket policies, access logging, lifecycle rules, replication, event notifications, and optional object lock controls.
19 controls, 28 frameworks
Compute & Containers
Autoscaling
Auto Scaling groups with launch templates, instance refresh, health checks, scaling policies, mixed instance options, IAM instance profiles, and security group based network controls.
2 controls, 5 frameworks
EC2 Instance
EC2 instances with IAM roles, EBS encryption, IMDSv2, security groups, detailed monitoring, user data, placement options, and optional Elastic IPs or attached volumes.
16 controls, 26 frameworks
Lambda
Lambda functions with IAM execution roles, VPC configuration, log groups, reserved concurrency, dead letter handling, environment variables, code signing support, and optional KMS encryption.
11 controls, 21 frameworks
ECS
ECS clusters, services, and task definitions with IAM roles, logging, load balancer integration, service discovery, capacity providers, and Fargate or EC2 runtime settings.
4 controls, 3 frameworks
EKS
EKS clusters with managed node groups, Fargate profiles, cluster encryption, IAM and OIDC integration, VPC networking, control plane logging, security groups, and core add-ons.
4 controls, 10 frameworks
ECR
ECR repositories with image scanning, immutable tags, KMS encryption, lifecycle policies, repository policies, replication, and controlled push and pull access.
2 controls, 8 frameworks
Networking & Edge
ALB
Application Load Balancers with listeners, listener rules, target groups, TLS certificates, access logs, WAF integration, and security group restricted ingress.
11 controls, 23 frameworks
CloudFront
CloudFront distributions with origins, origin access control, TLS certificates, cache behaviors, WAF association, logging, geo restrictions, and HTTPS only content delivery.
10 controls, 10 frameworks
ELB
Classic Load Balancers with listeners, health checks, SSL certificates, cross zone balancing, connection draining, access logging, and security group controlled ingress.
4 controls, 16 frameworks
Network Firewall
AWS Network Firewall rule groups, firewall policies, firewalls, logging destinations, stateless and stateful inspection rules, and subnet placement for traffic filtering.
4 controls, 3 frameworks
VPC
VPCs with public and private subnets, route tables, NAT gateways, Internet gateways, VPC endpoints, flow logs, network ACLs, and security group foundations for workload isolation.
1 control, 15 frameworks
VPN Gateway
Site to site VPN connections with customer gateways, VPN gateways or transit gateway attachments, tunnels, routing propagation, and encrypted connectivity between on premises networks and AWS.
1 control
Databases, Caching & Analytics
DMS
Database Migration Service replication instances, source and target endpoints, replication tasks, subnet groups, logging, and controlled network placement for data migration.
3 controls, 16 frameworks
DynamoDB Table
DynamoDB tables with server side encryption, point in time recovery, TTL, streams, autoscaling, global tables, IAM access controls, and backup oriented settings.
4 controls, 20 frameworks
Elasticache
Redis or Memcached clusters and replication groups with subnet groups, security groups, transit and at rest encryption, auth tokens, parameter groups, and automatic failover.
6 controls, 19 frameworks
OpenSearch
OpenSearch domains with VPC placement, encryption at rest, node to node encryption, fine grained access control, audit logs, TLS enforcement, and snapshot configuration.
11 controls, 21 frameworks
RDS
RDS instances with subnet groups, security groups, storage encryption, automated backups, maintenance windows, performance insights, IAM authentication, and log exports.
19 controls, 27 frameworks
RDS Aurora
Aurora clusters and instances with private subnet placement, storage encryption, automated backups, reader endpoints, IAM authentication, log exports, and multi AZ high availability.
10 controls, 15 frameworks
Redshift
Redshift clusters or serverless workgroups with VPC networking, encryption, audit logging, snapshot settings, parameter groups, enhanced VPC routing, and controlled access.
13 controls, 23 frameworks
EMR
EMR clusters and instance groups with security configurations, encryption in transit and at rest, Kerberos, IAM roles, bootstrap actions, logging, and deployment in private subnets.
2 controls, 9 frameworks
Security, Keys & Configuration
ACM
ACM certificates and validation records for public or private TLS, certificate renewal, and associations used by load balancers, CloudFront distributions, and APIs.
3 controls, 5 frameworks
KMS
KMS keys, aliases, grants, key policies, rotation, multi Region options, and tightly scoped permissions used to encrypt data across AWS services.
1 control, 21 frameworks
Secrets Manager
Secrets, secret versions, rotation schedules, KMS encryption, resource policies, replication, and controlled retrieval of database passwords, API keys, and tokens.
1 control, 7 frameworks
SSM Parameter
Systems Manager Parameter Store parameters with KMS encryption, parameter policies, versioning, tier selection, and controlled access to application configuration and secret values.
1 control, 1 framework
Messaging & Streaming
MSK Kafka Cluster
MSK clusters with broker configuration, encryption in transit and at rest, client authentication, logging, VPC networking, and cluster policies for streaming workloads.
3 controls, 5 frameworks
SNS
SNS topics and subscriptions with KMS encryption, topic policies, delivery policies, dead letter configuration, and controlled fan out of events and notifications.
1 control, 18 frameworks
SQS
SQS queues with server side encryption, access policies, FIFO options, visibility timeout, redrive policies, and dead letter queues for durable message processing.
3 controls, 3 frameworks
API & Application Integration
API Gateway v2
HTTP and WebSocket APIs with routes, stages, custom domains, TLS certificates, access logs, JWT or Lambda authorizers, throttling, and private or public integrations.
1 control, 6 frameworks
AppSync
GraphQL APIs with resolvers, data sources, API keys or IAM and Cognito authentication, logging, caching, custom domains, and fine grained access patterns.
4 controls, 6 frameworks
Step Functions
State machines with IAM execution roles, logging, tracing, retries, timeouts, and workflow definitions for auditable application orchestration.
1 control, 6 frameworks